The UK’s High Court ruled that online gambling provider Sky Betting & Gaming (“SBG”) – part of the Flutter Entertainment group which includes FanDuel– acted unlawfully and breached a customer’s data protection rights when it obtained his personal data through cookies and used it to profile him and deliver personalised direct marketing.
This landmark ruling made front page of The Observer, along with further reporting on the claimant. The case was brought by AWO, and further details on the case can be found here.
Background
SBG, one of the UK’s largest online gambling operators with brands like Sky Bet, Sky Casino or Sky Vegas, collects vast amounts of personal data about its users’ gambling and other online behaviour to profile them and target them with marketing. The Defendants (Bonne Terre Limited and Hestview Limited, the corporate entities through which SBG operates its brands) took gambling behaviours and turned them into code. The scale of that processing and profiling has attracted considerable U.S. press attention.
The judgment
The Court found that for the entire period of the claim, SBG had no lawful basis to collect the claimant’s data through cookies, to profile him for marketing purposes or to serve him with direct marketing.
The High Court judgment recognises that online gambling is a particularly risky environment in which users’ discernment and autonomy can be impaired, such that controllers have heightened obligations to ensure that valid consent has been provided. This is a powerful reminder to all data controllers that the key attributes of consent under the UK GDPR – “freely given”, “specific”, “informed” and “unambiguous” – set a high standard, and that the context in which consent to data processing is sought is important.
Implications
The groundbreaking ruling is a legal first and could have major implications for the multi-billion-pound online gambling sector in the UK. It raises the prospect that not only SBG, but other gambling companies have been illegally profiling thousands – if not tens of thousands – of their vulnerable customers for years. The case also has consequences for all controllers that rely on consent and for the online advertising industry.
The proceedings also confirmed and further revealed the extent of sharing of personal data by online gambling operators with third parties through the AdTech ecosystem. A report by Cracked Labs documenting the sharing of personal data by SBG with dozens of companies in the AdTech industry was provided in evidence and confirmed as accurate by SBG’s witnesses.
The judgment also reinforces the reprimand given by the Information Commissioner’s Office to SBG’s parent company in September 2024 as a result of submissions made by AWO on behalf of Clean Up Gambling. The ICO’s investigation had found that a pixel embedded within the Sky Bet website had facilitated the setting of approximately 40 third-party marketing cookies without users’ valid consent.
Overall, the findings on lawful bases for profiling and online advertising, in particular on consent, should be a warning to the wider online advertising industry. The assessment is stringent, especially in higher risk environments (such as gambling), and controllers must be able to conclusively demonstrate the legality of their processing.